Page MenuHomePureOS Tracker

Method and software apparatus to synchronize GPG (GnuPG) PGP keyrings across multiple computers
Open, WishlistPublic


I have a desktop computer, a Librem laptop, and eventually a phone and/or tablet... and with the current state of the Linux desktop, it's a big pain in the ass to use and manage GPG for a very simple reason: I can't easily keep my devices in sync over my private network (LAN).

I want to keep my private keys in sync (without ever risking data loss on that front) and also the public keys of others that I have imported.

I don't want to use public keyservers.
I prefer not to depend on a hardware smartcard.
I basically want the equivalent of nextcloud caldav/carddav for GPG, but peer-to-peer (not requiring to set up a central "server").

It is possible that just synchronizing the ~/.gnupg/ folder across the computers over SSH/SFTP with Unison might work, but I'm not tech savvy enough to know for sure. Will it work fine, or will it conflict/corrupt itself? Will it get interference from, for example, "gpg-agent", the process that is running in a GNOME session? Are GUI tools like Seahorse and KGPG etc. using inotify or some other mechanism to refresh themselves and prevent overwriting changes?

Are there other sync tools that would be better suited for this? Or tools specific to GPG? Or something we should co-develop? When searching for "unison sync gpg" I found GPG sync for example, but I have no idea if it's any good or if it can fit the "home user" P2P usecase.

Ideally we should provide a tool and method and "best practices" for users to solve this particular problem. And we should be making sure that GUI key management tools like Seahorse are properly maintained and bug-free (not the case in recent years).

Event Timeline

jeff created this task.Apr 24 2018, 11:30
jeff updated the task description. (Show Details)Apr 24 2018, 14:40
d3vid added a subscriber: d3vid.Apr 25 2018, 01:09
d3vid added a comment.Apr 25 2018, 03:15

Part of the solution may involve backing up (not syncing) your own GPG key, which could be achieved with something like Keysafe

Keysafe is packaged for Debian - but only targeted experimental: